Can government and industry solve the security/privacy equation?

By William Jackson

Jul 07, 2011

A House committee on July 7 wrestled with the question of how to craft cybersecurity legislation that would coordinate government and private-sector efforts while respecting individual privacy and civil liberties.

“There is no security issue facing our nation more pressing than cybersecurity,” Greg Schaffer, acting deputy undersecretary for the Homeland Security Department’s National Protection and Programs Directorate, told the House Government Oversight and Reform Committee. “The status quo is simply unacceptable,” he added.

But although there was general agreement on the need for change, a framework for reconciling conflicting interests remains elusive. DHS lacks clear statutory authority to assist companies, companies are reluctant to share information with government, the business community is leery of government regulation, and everyone is worried about liability for gathering and handling sensitive or personal information.

“There is not a single-solution problem,” said Ari Schwartz, senior Internet policy advisor for the National Institute of Standards and Technology.

The president has proposed cybersecurity legislation clarifying DHS’ role, updating the Federal Information Security Management Act for agencies and proposing a regulatory framework for the nation’s operators of critical infrastructure. The Oversight and Reform committee held what Chairman Darrell Issa (R-Calif.) said was the first in what would be a long series of hearings on turning the proposal into a bill.

The process is likely to be complicated.

“Practically every committee in Congress can claim jurisdiction over cybersecurity,” Issa said. He wants his committee to be the lead in developing the legislation.

Issa was concerned about the lack of input from the private sector in the proposal and worried that it would exacerbate what he called a systemic resistance to information sharing. Schaffer said the proposal was shaped by the administration’s long-standing relationship with business interests, but acknowledged there is uncertainty in the private sector in dealing with his agency.

“They are not sure what they are allowed to share and not allowed to share,” he said.

James A. Baker, associate deputy attorney general, said “the key is clarity,” in dealing with business. “We need language that would clearly authorize the sharing,” providing immunity for voluntarily sharing sensitive information and exemptions from the Freedom of Information Act.

Baker said that current law provides implied immunity for sharing sensitive information with government, but this is subject to judicial decisions. Several telecom companies faced legal challenges when it was learned that they had allowed wholesale monitoring by the government of citizens’ communications in the wake of the Sept. 11, 2001 attacks. Issa said explicit immunity for such activity is needed.

Gathering and sharing this information could threaten individual privacy and civil liberties, however. The proposed legislation would require privacy programs approved by the Justice Department for all DHS cybersecurity programs, and would limit the use of monitoring and collection of information to cybersecurity threats. But all sides remained uncertain about how the law could be shaped to adequately balance privacy with collection and sharing of information.

Another area of dispute is regulation of critical infrastructure operators. The president’s proposal was crafted with a minimum of regulatory authority for DHS. Schwartz said the intent is to create a market-driven culture of security that relies on public disclosure to ensure accountability. But Issa complained that exposure of security plans and perceived vulnerabilities would increase risks and unfairly penalize companies.

The alternative to the proposed stick-and-carrot scheme would be outright regulation of critical infrastructure, which the U.S. Chamber of Commerce has objected to.

“The proposal is crafted to give industry a strong voice in developing the solution set,” Schaffer said. But so far it has not managed to fully satisfy any of the stakeholders.